feat: migrate cluster baseline from Hetzner to Proxmox
Deploy Cluster / Terraform (push) Failing after 52s
Deploy Cluster / Ansible (push) Has been skipped
Deploy Grafana Content / Grafana Content (push) Failing after 1m37s

Replace Hetzner infrastructure and cloud-provider assumptions with Proxmox
VM clones, kube-vip API HA, and NFS-backed storage. Update bootstrap,
Flux addons, CI workflows, and docs to target the new private Proxmox
baseline while preserving the existing Tailscale, Doppler, Flux, Rancher,
and B2 backup flows.
2026-04-22 03:02:13 +00:00
parent 6c6b9d20ca
commit b1dae28aa5
40 changed files with 577 additions and 784 deletions
+14 -7
@@ -1,6 +1,6 @@
# Gitea Secrets Setup
This document describes the secrets required for the HetznerTerra deployment workflow.
This document describes the secrets required for the Proxmox-based deployment workflow.
## Required Secrets
@@ -9,10 +9,17 @@ Add these secrets in your Gitea repository settings:
### Infrastructure Secrets
#### `HCLOUD_TOKEN`
- Hetzner Cloud API token
- Get from: https://console.hetzner.com/projects/{project-id}/security/api-tokens
- Permissions: Read & Write
#### `PROXMOX_ENDPOINT`
- Proxmox VE API endpoint
- Example: `https://100.105.0.115:8006/`
#### `PROXMOX_API_TOKEN_ID`
- Proxmox API token ID
- Example: `terraform-prov@pve!k8s-cluster`
#### `PROXMOX_API_TOKEN_SECRET`
- Proxmox API token secret
- Create with `pveum user token add terraform-prov@pve k8s-cluster`
#### `S3_ACCESS_KEY` & `S3_SECRET_KEY`
- Backblaze B2 credentials for Terraform state storage
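Review bot: the new `PROXMOX_API_TOKEN_ID` / `PROXMOX_API_TOKEN_SECRET` sections drop the privilege guidance the removed `HCLOUD_TOKEN` section carried ("Permissions: Read & Write") without a Proxmox equivalent. `pveum user token add terraform-prov@pve k8s-cluster` creates a privilege-separated token that has no permissions until ACLs are assigned to it, so the doc should list the roles and paths the token needs (the minimal set for cloning VMs onto the target nodes and storage) and note that the secret is printed once at creation and cannot be retrieved afterwards. The `PROXMOX_ENDPOINT` example is a bare IP over HTTPS, which will not match the hostname in the Proxmox self-signed certificate; state whether the provider is configured with the node's CA or with TLS verification disabled, since the latter should be called out explicitly rather than left implicit.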
@@ -31,7 +38,7 @@ Add these secrets in your Gitea repository settings:
#### `SSH_PRIVATE_KEY` & `SSH_PUBLIC_KEY`
- SSH key pair for cluster access
- Generate with: `ssh-keygen -t ed25519 -C "k8s@hetzner" -f ~/.ssh/hetzner_k8s`
- Generate with: `ssh-keygen -t ed25519 -C "k8s@proxmox" -f ~/.ssh/infra`
- Private key content (include BEGIN/END lines)
- Public key content (full line starting with ssh-ed25519)
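Review bot: the regenerated key path `~/.ssh/infra` is generic enough to collide with an existing key on an operator's machine, where the old `~/.ssh/hetzner_k8s` was cluster-specific; consider a name such as `~/.ssh/proxmox_k8s`, and add a line saying where the public half must be installed on the Proxmox side (VM template or bootstrap step) so readers know which half goes where.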
@@ -90,4 +97,4 @@ Check the workflow logs to verify all secrets are being used correctly.
- Prefer Doppler for runtime app/platform secrets after cluster bootstrap
- Rotate Tailscale auth keys periodically
- Review OAuth client permissions regularly
- The workflow automatically opens SSH/API access only for the runner's IP during deployment
- CI expects direct SSH access to the Proxmox VMs and direct Proxmox API access
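Review bot: the removed bullet documented a compensating control (SSH/API exposure scoped to the runner's IP for the duration of the deployment); the replacement says CI expects direct access but not how that access is bounded. Since the commit message preserves the Tailscale flow and the `PROXMOX_ENDPOINT` example sits in the 100.64.0.0/10 range Tailscale uses, state explicitly that the runner reaches the VMs and the Proxmox API only over the tailnet and that neither is exposed publicly, and add a bullet on the equivalent restriction (Tailscale ACLs or the Proxmox firewall limited to the runner node) so the security-notes section does not read as a regression.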